This thing won't let me execute ANY program..

Started by pnimith, June 23, 2009, 01:46:54 AM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Print
Go Down Pages 1 2
User actions

pnimith

#15
June 28, 2009, 05:08:22 PM
Ok. I finally got a chance to carry out all the steps asked by Eric the Red, without interruptions.

At this point, I tried clicking about 10 different google results. None of them were redirected...... So looks good so far....

I did all of the steps requested by ETR, except for Kaspersky scan. Although I did run it, twice, it shut down my laptop both the times after about an hour of scan. So I gave up on it and moved on to ComboFix.

Following are the logs from HijackThis and ComboFix.

Thanx GURUS......... This site simply rocks......

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:18:59 AM, on 6/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\PN228885\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\PN228885\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = google.net-studio.org
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mail.google.com/mail/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [SmartRAM] C:\Program Files\IObit\Advanced WindowsCare V2\MemCleaner.exe /m
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec AntiVirus\VPTray.exe
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\PN228885\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://c:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {D4003189-95B1-4A2F-9A87-F2B03665960D} (VodClient Control Class) - http://www.tvucricket.com/player/vjocx-en-black.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9f079e3117f14) (gupdate1c9f079e3117f14) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LuComServer_3_1.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O24 - Desktop Component 0: (no name) - http://www.floridashirdisai.org/florida.html#

--
End of file - 11034 bytes












ComboFix 09-06-26.02 - PN228885 06/28/2009 12:47.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.1150.646 [GMT -4:00]
Running from: c:\documents and settings\PN228885\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\PN228885\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk
c:\windows\jestertb.dll
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\OWGQYJjl.ini
c:\windows\system32\OWGQYJjl.ini2
c:\windows\system32\sdra64.exe
c:\windows\system32\SKYNETkxjknbfx.dat
c:\windows\system32\SKYNETkxtmnuvb.dat
c:\windows\system32\SKYNETlog.dat
c:\windows\Tasks\qayuvgqq.job
c:\windows\wiaserviv.log
C:\Winvdrv.dll

.
(((((((((((((((((((((((((   Files Created from 2009-05-28 to 2009-06-28  )))))))))))))))))))))))))))))))
.

2012-07-15 21:57 . 2012-07-15 21:58   --------   d-----w-   c:\documents and settings\All Users\Application Data\WinZip
2009-06-23 21:26 . 2009-06-23 21:26   410984   ----a-w-   c:\windows\system32\deploytk.dll
2009-06-23 17:11 . 2009-06-23 17:11   --------   d-----w-   c:\documents and settings\PN228885\Application Data\Malwarebytes
2009-06-23 17:11 . 2009-06-17 15:27   38160   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-23 17:11 . 2009-06-23 17:11   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2009-06-23 17:11 . 2009-06-23 17:11   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-23 17:11 . 2009-06-17 15:27   19096   ----a-w-   c:\windows\system32\drivers\mbam.sys
2009-06-23 03:35 . 2009-06-23 03:35   117760   ----a-w-   c:\documents and settings\PN228885\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-23 00:16 . 2009-06-23 00:16   --------   d-----w-   c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-06-22 23:43 . 2009-06-22 23:43   --------   d-----w-   c:\documents and settings\nimit patel\Application Data\IObit
2009-06-22 23:31 . 2009-06-22 23:31   --------   d-----w-   c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2009-06-22 21:49 . 2009-06-22 21:49   --------   d-----w-   c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-06-22 21:36 . 2009-03-19 20:32   23400   ----a-w-   c:\windows\system32\drivers\GEARAspiWDM.sys
2009-06-22 21:36 . 2008-04-17 16:12   107368   ----a-w-   c:\windows\system32\GEARAspi.dll
2009-06-22 21:35 . 2009-06-22 21:35   --------   d-----w-   c:\program files\iPod
2009-06-22 21:35 . 2009-06-22 21:36   --------   d-----w-   c:\program files\iTunes
2009-06-22 21:35 . 2009-06-22 21:36   --------   d-----w-   c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-22 21:35 . 2009-06-22 21:35   --------   d-----w-   c:\program files\Bonjour
2009-06-22 21:34 . 2009-06-22 21:35   --------   d-----w-   c:\program files\QuickTime
2009-06-22 21:34 . 2009-06-22 21:35   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple Computer
2009-06-22 21:33 . 2009-06-22 21:33   --------   d-----w-   c:\program files\Apple Software Update
2009-06-22 21:33 . 2009-06-22 21:35   --------   d-----w-   c:\program files\Common Files\Apple
2009-06-22 21:33 . 2009-06-22 21:33   --------   d-----w-   c:\documents and settings\All Users\Application Data\Apple
2009-06-19 01:04 . 2009-06-20 17:10   --------   d-----w-   c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-06-06 17:41 . 2009-06-28 15:18   --------   d-----w-   c:\program files\Mozilla Thunderbird
2009-06-06 17:30 . 2009-06-06 17:42   --------   d-----w-   c:\documents and settings\PN228885\Local Settings\Application Data\Thunderbird
2009-06-06 17:30 . 2009-06-06 17:30   --------   d-----w-   c:\documents and settings\PN228885\Application Data\Thunderbird
2009-06-05 17:57 . 2009-06-05 17:57   75048   ----a-w-   c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-05 01:14 . 2009-06-05 01:14   --------   d-----w-   c:\documents and settings\PN228885\Local Settings\Application Data\assembly
2009-06-05 01:11 . 2009-06-05 01:11   --------   d-----w-   c:\documents and settings\PN228885\Local Settings\Application Data\IsolatedStorage
2009-06-05 01:09 . 2009-06-05 01:10   --------   d-----w-   c:\program files\Virtual Earth 3D

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 16:56 . 2008-11-04 20:17   --------   d-----w-   c:\program files\Symantec AntiVirus
2009-06-23 21:26 . 2005-04-30 05:08   --------   d-----w-   c:\program files\Java
2009-06-22 23:43 . 2008-07-05 03:22   --------   d-----w-   c:\documents and settings\nimit patel\Application Data\ArcSoft
2009-06-21 06:04 . 2009-03-03 15:12   --------   d-----w-   c:\documents and settings\PN228885\Application Data\uTorrent
2009-06-20 18:26 . 2009-01-16 15:02   --------   d-----w-   c:\program files\SUPERAntiSpyware
2009-06-20 01:08 . 2005-04-30 05:38   --------   d-----w-   c:\program files\Google
2009-06-12 00:39 . 2008-09-30 01:13   --------   d-----w-   c:\program files\Microsoft Silverlight
2009-05-25 23:31 . 2009-05-25 23:31   390664   ----a-w-   c:\documents and settings\PN228885\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-25 19:13 . 2009-05-25 19:13   29184   ----a-r-   c:\documents and settings\PN228885\Application Data\Microsoft\Installer\{21AE04E8-EBF6-40DB-9AA9-B7A80C5D057D}\Icon21AE04E8.exe
2009-05-25 19:13 . 2009-05-25 19:13   --------   d-----w-   c:\program files\mkv2vob
2009-05-25 19:12 . 2009-01-16 15:02   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2009-05-17 13:43 . 2005-04-30 04:53   --------   d--h--w-   c:\program files\InstallShield Installation Information
2009-05-16 23:37 . 2007-05-26 01:18   --------   d-----w-   c:\program files\Common Files\Pure Networks Shared
2009-05-07 15:44 . 2004-08-04 08:00   344064   ----a-w-   c:\windows\system32\localspl.dll
2009-04-29 04:56 . 2004-08-04 08:00   827392   ----a-w-   c:\windows\system32\wininet.dll
2009-04-29 04:55 . 2008-09-25 00:19   78336   ----a-w-   c:\windows\system32\ieencode.dll
2009-04-17 09:58 . 2004-08-04 08:00   1846656   ----a-w-   c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2004-08-04 08:00   584192   ----a-w-   c:\windows\system32\rpcrt4.dll
2006-05-03 10:06 . 2009-04-14 21:26   163328   --sh--r-   c:\windows\system32\flvDX.dll
2007-02-21 11:47 . 2009-04-14 21:26   31232   --sh--r-   c:\windows\system32\msfDX.dll
2008-03-16 13:30 . 2009-04-14 21:26   216064   --sh--r-   c:\windows\system32\nbDX.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Google Update"="c:\documents and settings\PN228885\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-15 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-11 339968]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-23 148888]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-04-01 794624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 692316]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2005-02-17 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-12 185896]
"SmartRAM"="c:\program files\IObit\Advanced WindowsCare V2\MemCleaner.exe" [2007-10-29 662016]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-20 52896]
"vptray"="c:\progra~1\Symantec AntiVirus\VPTray.exe" [2006-09-28 125168]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2009-04-29 188728]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-12-10 41042]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 16:05   356352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"c:\\Program Files\\Cisco Systems\\VPN Client\\ipsecdialer.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Online Services\\US_InstallAOL\\Dial-up\\InstallAol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\PN228885\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\PN228885\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"19000:TCP"= 19000:TCP:name2

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [12/22/2008 12:06 PM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/22/2008 12:05 PM 55024]
R2 CVPNDRV;Cisco Systems IPsec Driver;c:\windows\system32\drivers\CVPNDrv.sys [10/8/2005 10:00 AM 267333]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/27/2009 9:02 PM 101936]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [12/15/2004 11:18 AM 200192]
S2 gupdate1c9f079e3117f14;Google Update Service (gupdate1c9f079e3117f14);c:\program files\Google\Update\GoogleUpdate.exe [6/18/2009 9:04 PM 133104]
S3 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [12/10/2008 12:10 AM 24636]
S3 CrystalSysInfo;CrystalSysInfo;\??\c:\program files\MediaCoder\SysInfo.sys --> c:\program files\MediaCoder\SysInfo.sys [?]
S3 EraserUtilDrvI7;EraserUtilDrvI7;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI7.sys [?]
S3 JL2004A;JL2004A Photo Viewer;c:\windows\system32\Drivers\pv_wdm.sys --> c:\windows\system32\Drivers\pv_wdm.sys [?]
S3 JL2008PC;Digital Camera;c:\windows\system32\drivers\jl2008pc.sys [7/11/2005 1:14 PM 125370]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [12/22/2008 12:06 PM 7408]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [9/27/2006 9:33 PM 116464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc   REG_MULTI_SZ      vvdsvc
.
Contents of the 'Scheduled Tasks' folder

2009-06-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-19 01:04]

2009-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3968700586-2473729068-319756498-1009.job
- c:\documents and settings\PN228885\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-15 02:45]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-tgcmd - c:\program files\support.com\bin\tgcmd.exe


.
------- Supplementary Scan -------
.
uLocal Page = google.net-studio.org
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}
mStart Page = hxxp://www.google.com
mWindow Title = Microsoft Internet Explorer presented by Comcast
uInternet Connection Wizard,ShellNext = hxxp://mail.google.com/mail/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\PN228885\Application Data\Mozilla\Firefox\Profiles\0t3pdm7d.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\PN228885\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\PN228885\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 12:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????7?2?9?0??????? ???B?????????????hLC? ??????
  tgcmd = "c:\program files\support.com\bin\tgcmd.exe" /server?cmd.exe" /server

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
   00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1128)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3096)
c:\windows\system32\hnetcfg.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HPQ\Shared\hpqwmi.exe
.
**************************************************************************
.
Completion time: 2009-06-28 13:00 - machine was rebooted
ComboFix-quarantined-files.txt  2009-06-28 17:00

Pre-Run: 23,041,544,192 bytes free
Post-Run: 30,973,833,216 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

257   --- E O F ---   2009-06-11 21:49

Corrine

#16
June 29, 2009, 01:34:42 AM
Hi, pnimith.

ComboFix did the trick.  The developer of ComboFix is absolutely amazing.  Please do the following to implement cleanup procedures and also to reset System Restore points:

Note:  If you use AVG, please exit via System Tray. and then open the AVG 8 Control Center, by right-clicking on the AVG 8 icon on task bar.

  • Click on Tools.
  • Select Advanced Settings.
  • In the left hand pane, scroll down to "Resident Shield".
  • In the main pane, deselect the option to "Enable Resident Shield."
  • To re-enable AVG 8, please select "Enable Resident Shield" again.

Click Start > Run and Copy/Paste the following bolded text into the Run box and click OK:  ComboFix /u



Note: In the event you wish to contribute to the ongoing development of ComboFix, the developer is accepting donations via PayPal.


Now for some final words of advice . . .

A strong word of caution with regard to uTorrent:  P2P programs form a direct conduit on to your computer. They have always been a target of malware writers and are increasingly so of late. P2P security measures are easily circumvented and if your P2P program is not configured correctly, you may be sharing more files than you realize. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program. Use of P2P programs can result in Identity Theft.

Having a firewall, anti-virus and anti-malware software are not enough.  You also need to stay current with security updates.  If you don't have your computer set to automatically install the Microsoft Security Updates, please check for updates now.  For additional information, see my blog post Understanding Microsoft Updates

To check if your system is missing security updates or has insecure applications installed, visit http://secunia.com/software_inspector/ .  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:

  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications
Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol, a system monitor, which includes the features described at http://www.winpatrol.com/features.html

Please confirm that you computer is back to "normal" and let me know if you have any questions.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

pnimith

#17
July 01, 2009, 02:46:20 AM
Thanx Corrine...

My laptop has been running fine since my last post.

I am going to check for win updates and definitely try SpywareBlaster and WinPatrol.

Landzdown community, THANK YOU!!! :goodie:

Corrine

#18
July 01, 2009, 02:22:08 PM
Good to hear!  You are very welcome, pnimith. 


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
Print
Go Up Pages 1 2
User actions